e7b7e1196063e2ee21b049f5a18a86892949a86a810cba6b06ba72ac23dd1207

Analysis

max time kernel
144s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
23-01-2024 01:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7b7e1196063e2ee21b049f5a18a86892949a86a810cba6b06ba72ac23dd1207.exe
Size

1.1MB
MD5

038e3876a3bc0768ebe5e78606cf590e
SHA1

dd727d94729385f6450e048f86d3ab4622652a9f
SHA256

e7b7e1196063e2ee21b049f5a18a86892949a86a810cba6b06ba72ac23dd1207
SHA512

97cfd6a5785c820c79e1c8aa6d01653746447c21fb1c853c0156638a562daf7354a51cff8a9aa75a604d6a0a1267129d7a928eee312acc7946ec9120ae10a8e2
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5QI:CcaClSFlG4ZM7QzMv

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	e7b7e1196063e2ee21b049f5a18a86892949a86a810cba6b06ba72ac23dd1207.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
3656	svchcst.exe

Executes dropped EXE 2 IoCs

pid	Process
3656	svchcst.exe
2708	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings	e7b7e1196063e2ee21b049f5a18a86892949a86a810cba6b06ba72ac23dd1207.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1244	e7b7e1196063e2ee21b049f5a18a86892949a86a810cba6b06ba72ac23dd1207.exe
1244	e7b7e1196063e2ee21b049f5a18a86892949a86a810cba6b06ba72ac23dd1207.exe
1244	e7b7e1196063e2ee21b049f5a18a86892949a86a810cba6b06ba72ac23dd1207.exe
1244	e7b7e1196063e2ee21b049f5a18a86892949a86a810cba6b06ba72ac23dd1207.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe
3656	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1244	e7b7e1196063e2ee21b049f5a18a86892949a86a810cba6b06ba72ac23dd1207.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1244	e7b7e1196063e2ee21b049f5a18a86892949a86a810cba6b06ba72ac23dd1207.exe
1244	e7b7e1196063e2ee21b049f5a18a86892949a86a810cba6b06ba72ac23dd1207.exe
3656	svchcst.exe
3656	svchcst.exe
2708	svchcst.exe
2708	svchcst.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1244 wrote to memory of 2220	1244	e7b7e1196063e2ee21b049f5a18a86892949a86a810cba6b06ba72ac23dd1207.exe	87
PID 1244 wrote to memory of 2220	1244	e7b7e1196063e2ee21b049f5a18a86892949a86a810cba6b06ba72ac23dd1207.exe	87
PID 1244 wrote to memory of 2220	1244	e7b7e1196063e2ee21b049f5a18a86892949a86a810cba6b06ba72ac23dd1207.exe	87
PID 1244 wrote to memory of 3724	1244	e7b7e1196063e2ee21b049f5a18a86892949a86a810cba6b06ba72ac23dd1207.exe	88
PID 1244 wrote to memory of 3724	1244	e7b7e1196063e2ee21b049f5a18a86892949a86a810cba6b06ba72ac23dd1207.exe	88
PID 1244 wrote to memory of 3724	1244	e7b7e1196063e2ee21b049f5a18a86892949a86a810cba6b06ba72ac23dd1207.exe	88
PID 3724 wrote to memory of 3656	3724	WScript.exe	95
PID 3724 wrote to memory of 3656	3724	WScript.exe	95
PID 3724 wrote to memory of 3656	3724	WScript.exe	95
PID 2220 wrote to memory of 2708	2220	WScript.exe	94
PID 2220 wrote to memory of 2708	2220	WScript.exe	94
PID 2220 wrote to memory of 2708	2220	WScript.exe	94

C:\Users\Admin\AppData\Local\Temp\e7b7e1196063e2ee21b049f5a18a86892949a86a810cba6b06ba72ac23dd1207.exe
"C:\Users\Admin\AppData\Local\Temp\e7b7e1196063e2ee21b049f5a18a86892949a86a810cba6b06ba72ac23dd1207.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2708
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3724
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
1aa7eb3e40083c3d0af70463cd1a47d3

SHA1
c55ddeee602996a6b5e46bef9005b1a6e49f6f4b

SHA256
9a01790af79194ede4de0d6a8a18c37e89884c38f2d138ebc9bc81892f332af9

SHA512
659623a9809e45cdbe0add5b79afd62f70dcbb28bdaab34ae5ef4b0ffd0191ef2d46dd9d3ec96ac265a0cb30003ae00bdf5f56d9f2311a2e7839be0dcb740b1b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
0a9821b3dc478c32e06172a6042f1621

SHA1
99c8aae80aa68dae81d0f72eb3392c43045bac11

SHA256
858b07e012a7b3e1244f9c1c2e1a4ead52f29fbc549d15f9458f83c04edc6a7a

SHA512
08c5d6672947fb712cbb4d7e41fe41ed96ec9590e645249f82f0c671755641bbdd89f79685793caf8ad30b42ba8a2dc030e1581af766ba2ddc3613b2f7a5d18e

Download Submit